How to apply a quota policy to differentiate between two users with the same API key.

I have created a proxy with API key security and attached a Quota policy to it. How can I differentiate the quota policy for two users with the same API key?


As you know, the configuration for the Quota policy in Apigee Edge accepts an identifier. This is just a "bucket identifier", and any Quota policy that is enforced with this identifier will apply the counted request against that identifier.

<Quota name='Quota-1'>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <Allow>1000</Allow>
  <Identifier>example</Identifier>
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
  <PreciseAtSecondsLevel>false</PreciseAtSecondsLevel>
</Quota>

For example, if you have a Quota policy with ID "example", allowing 1000 calls per minute, and every app in your ecosystem uses that same identifier, then, in aggregate, the apps in your ecosystem will be allowed to make 1000 calls per minute, maximum, without regard for the number of apps, the number of users running those apps, the number of requests per app, and so on. If user1 starts up app1 and makes 1000 calls in 10 seconds, then that exhausts the quota for the next minute, for all apps.

This is why most quota policies will use a variable to specify the identifier. If you use the API Key as the identifier, then you would get a separate 1000/minute quota for each distinct app. Not each distinct app INSTANCE, but each app. Suppose you have an iOS app that is distributed to 1000 users. If you have a quota of 1000/minute, then that quota would count the aggregate number of calls across ALL instances of that app.

<Quota name='Quota-1'>
  ...
  <Identifier ref='client_id'/> <!-- aka API key -->
  ...
</Quota>

If you have two USERS who are using the same API Key, then you need to employ some additional information in the identifier for the quota. Perhaps the username, if you know it. Or something else. Maybe the client IP address? But that's a weak substitute for the user name.

Enforcing a per-user quota requires that the inbound request to Apigee Edge carries some information by which Apigee Edge could distinguish between a request from user 1 and a request from user 2. If the inbound request does not carry that information, then Apigee Edge cannot "know" that different users are sending these requests.

<Quota name='Quota-1'>
  ...
  <Identifier ref='user_name'/> <!-- something from the request -->
  ...
</Quota>
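An added example, not from the thread, of the approach the answer describes: composing the API key and a per-user value into one quota identifier so each (app, user) pair gets its own bucket. It assumes a VerifyAPIKey policy has already populated client_id, that the user identity arrives in a request header named X-User-Id (a hypothetical name), and that the three fragments below are separate policy and proxy-endpoint files.

```xml
<!-- Added example; not the original poster's configuration.
     Step 1: build a composite bucket identifier of the form <api key>:<user>.
     Both flow variables are assumed to be set before this policy runs. -->
<AssignMessage name='AM-Build-Quota-Id'>
  <AssignVariable>
    <Name>quota_identifier</Name>
    <Template>{client_id}:{request.header.X-User-Id}</Template>
  </AssignVariable>
  <!-- Fail loudly if client_id or the header is missing rather than silently
       collapsing every such request into one shared bucket. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- Step 2: key the quota on the composite variable. Two users sharing the
     same API key now consume separate 1000/minute allowances. -->
<Quota name='Quota-Per-User'>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <Allow>1000</Allow>
  <Identifier ref='quota_identifier'/>
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
  <PreciseAtSecondsLevel>false</PreciseAtSecondsLevel>
</Quota>

<!-- Step 3: order matters. The key must be verified before the identifier is
     built, and the identifier must exist before the quota is evaluated.
     Policy names here are hypothetical. -->
<PreFlow name='PreFlow'>
  <Request>
    <Step><Name>Verify-API-Key</Name></Step>
    <Step><Name>AM-Build-Quota-Id</Name></Step>
    <Step><Name>Quota-Per-User</Name></Step>
  </Request>
</PreFlow>
```

A value the client can set freely, such as a plain header, is only as trustworthy as the client, so where the proxy already verifies the caller (for example with a VerifyJWT policy) prefer a claim that policy exposes over a raw header when building the identifier.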